JCPenney got hit by the ransomware group ShinyHunters in June 2026, and the hackers claim they walked away with hundreds of thousands of records, Social Security numbers, W-2 tax forms, payroll data, and government-issued IDs, primarily from current and former employees.
This wasn’t a customer credit card breach. It went after HR.
What the hackers say they took
ShinyHunters posted the claim on June 12, alleging they’d stolen records containing Social Security numbers, dates of birth, W-2 forms, payroll records, driver’s licenses, government ID scans, home addresses, phone numbers, and roughly 368,000 corporate and personal email addresses.
The group gave JCPenney until June 15 to make contact before threatening to release the data. No data samples were published to back up the claims, and Catalyst Brands, JCPenney’s parent company, hasn’t confirmed the full scope publicly.
Multiple law firms have already launched investigations. Edelson Lechtzin LLP filed a notice of investigation shortly after the news broke. Class action attorneys have been gathering affected employees since.
Why this is worse than a card breach
A stolen credit card number gets canceled and replaced. A Social Security number is yours for life.
If the ShinyHunters claims hold up, anyone who’s ever been on JCPenney’s payroll could be looking at years of downstream risk. W-2 forms alone contain enough information to file a fraudulent tax return in your name, apply for credit, or open financial accounts without your knowledge.
Catalyst Brands also owns Brooks Brothers, Eddie Bauer, Lucky Brand, Nautica, and Aéropostale. If the breach hit shared HR infrastructure, the exposure doesn’t stop at JCPenney.
Current and former employees should place a credit freeze with all three bureaus now, it’s free and blocks new accounts from being opened in your name. Check HaveIBeenPwned.com to see if your email has appeared in any verified breach. And file taxes as early as possible next season: fraudulent returns are typically filed before you are.
This comes at an already rough moment
JCPenney shed more than $300 million in top-line sales in its most recent fiscal year. A $947 million deal to restructure 119 store properties collapsed before closing. The company also just announced a humanoid robot partnership with Figure AI, with the first deployment at its Reno distribution center, a signal of where retail warehouse jobs are heading.
A data breach in the middle of all that is a bad look for a retailer already fighting to stay relevant in 2026.
For more tech and data security news, see Phundi’s Tech section.
Related: Google Just Warned About a Scam That Gets Into Your Calendar Without a Single Click
